Skip to content

Instantly share code, notes, and snippets.

Last active January 3, 2019 15:36
Show Gist options
  • Save louisvernon/ca9f8b6aac913fa620fbb8f59f16581e to your computer and use it in GitHub Desktop.
Save louisvernon/ca9f8b6aac913fa620fbb8f59f16581e to your computer and use it in GitHub Desktop.
Halyard configuration for GKE plus Spinnaker deployment
# execute from remote path
cd $(cd -P -- "$(dirname -- "$0")" && pwd -P)
BACKUP_ID=$(date '+%d-%M-%Y-%s')
mv ~/.hal ~/hal$BACKUP_ID
source config_vars
if [! "$CLSID" = "" ]; then
$QUIET = "-q"
#kubectl config current-context
hal $QUIET config version edit --version ${SPINNAKER_VERSION}
wget --quiet${GCLOUD_VERSION}-linux-x86_64.tar.gz
tar xf google-cloud-sdk-${GCLOUD_VERSION}-linux-x86_64.tar.gz
google-cloud-sdk/bin/gcloud auth activate-service-account --key-file=/tmp/account.json
google-cloud-sdk/bin/gcloud container clusters get-credentials ${cluster_name} --zone ${zone} --project ${project}
secret=$(kubectl get sa ${SPINNAKER_SERVICE_ACCOUNT} -o jsonpath={})
kubectl get secret ${secret} -o jsonpath={..token} > /tmp/LOCAL_TOKEN
SPINNAKER_PROFILE=$(kubectl config current-context)
kubectl config set-credentials ${SPINNAKER_PROFILE} --token=$(cat /tmp/LOCAL_TOKEN | base64 -d)
# let's build the contexts for all other clusters and register pubsub queues while we're at it
hal config pubsub google enable
cat managed_clusters | while IFS=: read -r MANAGED_CLUSTER MPROJECT MZONE; do
echo "Adding kubectl context for cluster ${MANAGED_CLUSTER} in project ${MPROJECT} with spinnaker"
google-cloud-sdk/bin/gcloud container clusters get-credentials ${MANAGED_CLUSTER} --zone ${MZONE} --project ${MPROJECT}
secret=$(kubectl get sa ${SPINNAKER_SERVICE_ACCOUNT} -o jsonpath={})
kubectl get secret ${secret} -o jsonpath={..token} > /tmp/${MANAGED_CLUSTER}_TOKEN
USER_PROFILE=$(kubectl config current-context)
kubectl config set-credentials ${USER_PROFILE} --token $(cat /tmp/${MANAGED_CLUSTER}_TOKEN | base64 -d)
echo "Creating subscription ${SUBSCRIPTION} for GCR pubsub topics"
google-cloud-sdk/bin/gcloud -q beta pubsub subscriptions create $SUBSCRIPTION --topic projects/${MPROJECT}/topics/gcr --topic-project ${MPROJECT}
} || {
echo "${SUBSCRIPTION} already exists"
hal config pubsub google subscription add $SUBSCRIPTION \
--subscription-name $SUBSCRIPTION \
--json-path /tmp/account.json \
--project $MPROJECT \
--message-format GCR
kubectl config use-context ${SPINNAKER_PROFILE}
kubectl get secret deployment -o jsonpath="{..SPINNAKER_GH_TOKEN}" | base64 -d > /tmp/GH_TOKEN
# enable the kubernetes account
hal $QUIET config provider kubernetes enable
# add gcs bucket
hal $QUIET config storage gcs edit --project ${project} \
--bucket-location ${SPINNAKER_BUCKET_LOCATION} \
--bucket ${SPINNAKER_BUCKET} \
hal $QUIET config storage edit --type gcs
# setup docker registries for config
hal $QUIET config provider docker-registry account add spinnaker-usgcr-account --address= --username=_json_key --password-file=/tmp/account.json
hal $QUIET config provider docker-registry account edit spinnaker-usgcr-account --cache-interval-seconds 300
hal $QUIET config provider docker-registry enable
hal $QUIET config features edit --artifacts true
hal $QUIET config artifact github enable
# uses personal github access toke
hal $QUIET config artifact github account add github-artifact-account \
--token-file /tmp/GH_TOKEN
hal $QUIET config provider kubernetes account add ${cluster_name} \
--docker-registries spinnaker-usgcr-account \
hal config security ui edit \
--override-base-url ${SPINNAKER_UI_URL}
hal config security api edit \
--override-base-url ${SPINNAKER_API_URL}
hal $QUIET config deploy edit --account-name ${cluster_name} --type distributed #--location spinnaker
kubectl get pods
read -ra CONTEXTS <<<$(kubectl config view -o jsonpath='{.contexts[*].name}')
for CONTEXT in "${CONTEXTS[@]}"; do
if [ "$CONTEXT" != "$SPINNAKER_PROFILE" ]; then
echo "Registering context ${CONTEXT} with Spinnaker"
hal $QUIET config provider kubernetes account add ${CONTEXT}v2 \
--provider-version v2 \
--context ${CONTEXT}
hal $QUIET config provider kubernetes account add ${CONTEXT##*_} \
--provider-version v2 \
--context ${CONTEXT}
echo "Deploying Spinnaker"
# setup authorization
export CREDENTIALS=/tmp/spinnaker_gsuite.json
hal config security authz google edit \
--admin-username $ADMIN \
--credential-path $CREDENTIALS \
--domain $DOMAIN
hal config security authz edit --type google
# hal config security authz enable
# setup authentication
SPINNAKER_CLIENT_ID=$(kubectl get secret deployment -o jsonpath="{..SPINNAKER_CLIENT_ID}" | base64 -d)
SPINNAKER_CLIENT_SECRET=$(kubectl get secret deployment -o jsonpath="{..SPINNAKER_CLIENT_SECRET}" | base64 -d)
hal config security authn oauth2 edit \
--client-id $SPINNAKER_CLIENT_ID \
--client-secret $SPINNAKER_CLIENT_SECRET \
--provider google \
--pre-established-redirect-uri ${SPINNAKER_API_URL}/login \
--user-info-requirements hd=$DOMAIN
hal config security authn oauth2 enable
# setup logging/monitoring
hal config metric-stores stackdriver edit \
--credentials-path /tmp/account.json
#modify X-Forwarded- behaviour using custom conf:
mkdir ~/.hal/default/profiles
cp /tmp/patched_gate-local.yml ~/.hal/default/profiles/gate-local.yml
SPINNAKER_SLACK_TOKEN=$(kubectl get secret deployment -o jsonpath="{..SPINNAKER_SLACK_TOKEN}" | base64 -d)
echo $SPINNAKER_SLACK_TOKEN | hal config notification slack edit --bot-name dl_spinnaker --token
hal deploy apply
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment